ON SOME BLOCK CIPHERS AND IMPRIMITIVE GROUPS 
Abstract. The group generated by the round functions of a block cipher is a widely investigated problem. We identify a large class of block ciphers for which this group is easily guaranteed to be primitive. Our class includes the AES and the SERPENT.



1. Introduction 

Most block ciphers are iterated block ciphers, i.e. they are obtained by the composition of several "rounds" (or "round functions"). A round is a key-dependent permutation of the message/cipher space. To achieve efficiency, all rounds share a similar structure.

For a given cipher, it is an interesting problem to determine the permutation group generated by its round functions (with the key varying in the key space), since this group might reveal weaknesses of the cipher. However, such results usually require an ad-hoc proof (with a notable recent exception [14]).

In this paper we consider a class of block ciphers, large enough to contain some well-known ciphers (like the AES and the SERPENT), for which the primitivity of the related group can be established by checking only some properties of its S-boxes. Our results may be useful to cipher designers wanting to avert group imprimitivity, since in our context they can do so easily.

2. Preliminaries 

2.1. Group theory and finite field theory. Let $G$ be a finite group acting transitively on a set $V$ and $H \le G$ a subgroup. We write the action of an element $g \in G$ on an element $a \in V$ as $ag$. Also, $aG = \{ag : g \in G\}$ is the orbit of $a$ and $G_a = \{g \in G : ag = a\}$ is its stabilizer. A partition $\mathcal{B}$ of $V$ is $G$-invariant if for any $B \in \mathcal{B}$ and $g \in G$, one has $Bg \in \mathcal{B}$. Partition $\mathcal{B}$ is trivial if $\mathcal{B} = \{V\}$ or $\mathcal{B} = \{\{a\} : a \in V\}$. If $\mathcal{B}$ is $G$-invariant and non-trivial, then it is a block system for the action of $G$ on $V$ (and any $B \in \mathcal{B}$ is a block). If such a block system exists, then we say that $G$ is imprimitive in its action on $V$ (equivalently, $G$ acts imprimitively on $V$). If $G$ is not imprimitive (and it is transitive), then we say that it is primitive. Since $G$ acts transitively on $V$, we then have $\mathcal{B} = \{Bg : g \in G\}$ for any $B \in \mathcal{B}$.

Lemma 2.1 ([1], Theorem 1.7). Let $G$ be a finite group, acting transitively on a set $V$. Let $a \in V$. Then the blocks $B$ containing $a$ are in one-to-one correspondence with the subgroups $H$ such that $G_a \le H \le G$. The correspondence is given by $B = aH$. In particular, $G$ is primitive if and only if $G_a$ is a maximal subgroup of $G$.
We denote by $\mathrm{Sym}(V)$ and $\mathrm{Alt}(V)$, respectively, the symmetric and alternating group on $V$. When $V$ is a vector space over a finite field $\mathbb{F}_q$ with $q$ elements, we also denote by $T(V)$ the translation group $T(V) = \{\sigma_v : v \in V\}$, where $\sigma_v : V \to V$, $w \mapsto w + v$. It is well-known that $T(V)$ is a transitive subgroup of $\mathrm{Sym}(V)$, which is imprimitive except for the trivial case $V = \mathbb{F}_p$, with $p$ a prime. Any block system $\mathcal{B}$ of $T(V)$ is the set of translates of a proper vector subspace $W$ of $V$, that is, $\mathcal{B} = \{W + v \mid v \in V\}$. We denote by $\mathrm{AGL}(V)$ the group of all affine permutations of $V$, which is a primitive maximal subgroup of $\mathrm{Sym}(V)$, and by $\mathrm{GL}(V)$ the group of all linear permutations of $V$, which is a normal subgroup of $\mathrm{AGL}(V)$.

We will need the following result from finite field theory. 

Theorem 2.2 ([8], [?]). Let $F$ be a field of characteristic two. Suppose $U \ne \{0\}$ is an additive subgroup of $F$ which contains the inverses of each of its nonzero elements. Then $U$ is a subfield of $F$.



2.2. Vectorial Boolean functions. Let $m \ge 1$ be a natural number. Let $A = (\mathbb{F}_2)^m$ and $A^* = A \setminus \{0\}$. Any function $F : A \to A$ is a vectorial Boolean function (vBf).

For any function $F : A \to A$ and any elements $a, b \in A$, $a \ne 0$, we denote

$$\delta_F(a, b) = |\{x \in A : F(x + a) + F(x) = b\}| .$$

Let $\delta \in \mathbb{N}$. Function $F$ is called a differentially $\delta$-uniform function ([10]) if

$$\forall a \in A^*, \ \forall b \in A, \qquad \delta_F(a, b) \le \delta .$$

The smallest such $\delta$ is called the differential uniformity of $F$. Note that $\delta \ge 2$ for any vBf (both $x$ and $x + a$ solve $F(x + a) + F(x) = b$). Differentially 2-uniform mappings are called almost perfect nonlinear, or APN for short. If we denote by $F_a$ the vBf which maps $x \mapsto F(x + a) + F(x)$, then $F$ is differentially $\delta$-uniform if and only if $|(F_a)^{-1}(b)| \le \delta$ (for any $a \in A^*$ and $b \in A$). From now on, we shorten "differential uniformity" to "uniformity".

Vectorial Boolean functions used as S-boxes in block ciphers must have low uniformity to prevent differential cryptanalysis (see [9], [10]). In this sense, APN functions are optimal. However, numerous experiments suggest the following conjecture.

Conjecture 2.3 (Dobbertin). If $m$ is even, no APN function is a permutation.

If this conjecture is true, then APN functions cannot be used as S-boxes, since implementation issues require an even $m$.

Any vBf can also be regarded as a polynomial in $\mathbb{F}_{2^m}[x]$ (with degree at most $2^m - 1$). When $m$ is even, the patched inverse function $x \mapsto x^{-1}$ (with $0 \mapsto 0$) is a 4-uniform permutation ([10]) and was chosen as the basic S-box, with $m = 8$, in the Advanced Encryption Standard (AES) [2].

2.3. Previous results on the group generated by the round functions. Let $\mathcal{C}$ be any block cipher such that the plaintext space $\mathcal{M}$ coincides with the cipher space. Let $\mathcal{K}$ be the key space. Any key $k \in \mathcal{K}$ induces a permutation $\tau_k$ on $\mathcal{M}$. Since $\mathcal{M}$ is usually $V = (\mathbb{F}_2)^n$ for some $n \in \mathbb{N}$, we can consider $\tau_k \in \mathrm{Sym}(V)$. We denote by $\Gamma = \Gamma(\mathcal{C})$ the subgroup of $\mathrm{Sym}(V)$ generated by all the $\tau_k$'s. In the literature the following properties of $\Gamma$ are considered undesirable, since they could lead to weaknesses of $\mathcal{C}$: small cardinality, imprimitivity and intransitivity. For a detailed discussion of their consequences, see [11]. We would add that $\Gamma$ should not be a subgroup of $\mathrm{AGL}(V)$, otherwise it is obvious how to break the cipher. If $\Gamma$ turns out to be $\mathrm{Alt}(V)$ or $\mathrm{Sym}(V)$, these properties are automatically avoided. Note also that primitivity alone guarantees a non-negligible group size, but it could still be that $\Gamma$ is weak (as for example if $\Gamma \le \mathrm{AGL}(V)$).

Unfortunately, the knowledge of $\Gamma(\mathcal{C})$ is out of reach for the most important ciphers (such as the AES, the SERPENT, the DES, the IDEA). However, researchers have been able to compute another related group. Suppose that $\mathcal{C}$ is the composition of $l$ rounds.

Remark 2.4. Note that the division into rounds is not mathematically well-defined, but it is provided in the document describing the cipher, so this division is debatable and a cryptanalyst is allowed to modify it, if it is convenient.

Then any key $k$ would induce $l$ permutations, $\tau_{k,1}, \ldots, \tau_{k,l}$, whose composition is $\tau_k$. For any round $h$, we can consider $\Gamma_h(\mathcal{C})$ as the subgroup of $\mathrm{Sym}(V)$ generated by the $\tau_{k,h}$'s (with $k$ varying in $\mathcal{K}$). We can thus define the group $\Gamma_\infty = \Gamma_\infty(\mathcal{C})$ as the subgroup of $\mathrm{Sym}(V)$ generated by all the $\Gamma_h$'s. We note the following elementary fact.

Fact 1. $\Gamma \le \Gamma_\infty$.

Group $\Gamma_\infty$ is traditionally called the group generated by the round functions. Note that independent sub-keys are implicitly assumed. We collect in the following proposition some previous results on $\Gamma_\infty$.

Proposition 2.5.

• $\Gamma_\infty(\mathrm{AES}) = \mathrm{Alt}(V)$ [16],

• $\Gamma_\infty(\mathrm{SERPENT}) = \mathrm{Alt}(V)$ [?],

• $\Gamma_\infty(\mathrm{DES}) = \mathrm{Alt}(V)$ [?].

Each of the results in Proposition 2.5 requires an ad-hoc proof. Recently, a generalization of some of these results has been proposed [14].

3. A class of block ciphers

Several definitions have been proposed for iterated block ciphers (see e.g. key-alternating block cipher in [2], or Rijndael-like ciphers in [?]). We would like to define a class, large enough to include most common ciphers, yet restricted enough to have simple criteria guaranteeing the primitivity of $\Gamma_\infty$.

Let $\mathcal{C}$ be a block cipher with $V = (\mathbb{F}_2)^n$ and $n = ms$, $s \ge 2$. Space $V$ is a direct sum

$$V = V_1 \oplus \cdots \oplus V_s ,$$

where each $V_i$ has the same dimension $m$ (over $\mathbb{F}_2$). For any $v \in V$, we will write $v = v_1 \oplus \cdots \oplus v_s$, where $v_i \in V_i$. Also, we consider the projections $\pi_i : V \to V_i$ mapping $v \mapsto v_i$. Any $\gamma \in \mathrm{Sym}(V)$ that acts as

$$v\gamma = v_1\gamma_1 \oplus \cdots \oplus v_s\gamma_s ,$$

for some $\gamma_i \in \mathrm{Sym}(V_i)$, is a bricklayer transformation and any $\gamma_i$ is a brick. When used in symmetric cryptography, the maps $\gamma_i$ are traditionally called S-boxes and the map $\gamma$ is called a "parallel S-box".

A linear (or affine) map $\lambda : V \to V$ is traditionally called a "mixing layer", when used in composition with parallel maps.

In the following definitions we are not following established notation. We call any linear map $\lambda \in \mathrm{GL}(V)$ a proper mixing layer if no sum of some of the $V_i$ (except $\{0\}$ and $V$) is invariant under $\lambda$. A similar definition can be given when $\lambda \in \mathrm{AGL}(V)$.

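The properness condition just defined is a finite check: a sum of bricks is spanned by basis vectors, so it is invariant under a linear map exactly when every one of those basis vectors is mapped back into the sum. The following is an added example, not code from the paper: it decides the condition by enumerating all brick sums, first on three constructed toy layers on $(\mathbb{F}_2)^6$ with $s = 3$ bricks of dimension $m = 2$, and then on the AES linear layer ShiftRows followed by MixColumns (with SubBytes as the brick, so $m = 8$, $s = 16$), which Corollary 4.6 below states is proper; the byte layout (byte $i = 4 \cdot \text{column} + \text{row}$) and the names of all functions are this example's own choices.

```python
# Added example (not from the paper): deciding whether a linear map on
# V = V_1 + ... + V_s is a "proper mixing layer" (Section 3), i.e. whether some
# sum of bricks other than {0} and V is invariant under it.  Vectors of
# V = (F_2)^n are ints (bit j is the basis vector e_j), a linear map is the list
# of the images of e_0, ..., e_{n-1}, and brick i occupies bits i*m .. i*m+m-1.
from itertools import combinations

def is_invertible(cols):
    """Gaussian elimination over F_2: the images of the basis must be independent."""
    basis = []
    for v in cols:
        for b in basis:          # clear the leading bit of b from v if it is set
            v = min(v, v ^ b)
        if v == 0:
            return False
        basis.append(v)
    return True

def brick_mask(bricks, m):
    """Bit mask of the subspace sum of V_i, i in bricks (each V_i of dimension m)."""
    mask = 0
    for i in bricks:
        mask |= ((1 << m) - 1) << (i * m)
    return mask

def is_invariant(cols, mask):
    """A subspace spanned by basis vectors is invariant iff each of those basis
    vectors is mapped inside the mask."""
    return all(cols[j] & ~mask == 0 for j in range(len(cols)) if mask >> j & 1)

def invariant_brick_sums(cols, m, s):
    """All index sets I, 0 < |I| < s, whose brick sum is invariant under cols."""
    return [I for size in range(1, s) for I in combinations(range(s), size)
            if is_invariant(cols, brick_mask(I, m))]

def is_proper_mixing_layer(cols, m, s):
    """The definition of Section 3, with an early exit on the first invariant sum."""
    if not is_invertible(cols):
        raise ValueError("a mixing layer must lie in GL(V)")
    return not any(is_invariant(cols, brick_mask(I, m))
                   for size in range(1, s) for I in combinations(range(s), size))

# Constructed toy layers on V = (F_2)^6, s = 3 bricks of dimension m = 2.
M, S = 2, 3
BLOCK_DIAGONAL = [2, 1, 8, 4, 32, 16]   # swaps the two bits inside every brick
PARTIAL_MIX = [2, 4, 8, 3, 16, 32]      # companion matrix of x^4+x+1 on V_1+V_2, identity on V_3
MIXING = [20, 40, 16, 32, 5, 10]        # brick rotation followed by e_j -> e_j + e_{j+2}

# The AES linear layer ShiftRows followed by MixColumns on the 16-byte state,
# byte i = 4*column + row stored at bits 8*i .. 8*i+7 (layout chosen here).
MIX_COLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def xtime(a):
    """Multiplication by x in GF(2^8) with the AES modulus x^8+x^4+x^3+x+1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def mul_small(k, a):
    return {1: a, 2: xtime(a), 3: xtime(a) ^ a}[k]

def aes_linear_layer(shift_rows=True):
    """Images of the 128 basis vectors under ShiftRows (optional) then MixColumns."""
    cols = []
    for i in range(16):
        c, r = divmod(i, 4)
        c2 = (c - r) % 4 if shift_rows else c   # ShiftRows moves byte (r, c) to column c - r
        for b in range(8):
            image = 0
            for r2 in range(4):                  # MixColumns spreads it over column c2
                image ^= mul_small(MIX_COLUMNS[r2][r], 1 << b) << (8 * (4 * c2 + r2))
            cols.append(image)
    return cols

if __name__ == "__main__":
    for name, cols in [("block-diagonal", BLOCK_DIAGONAL), ("partial mix", PARTIAL_MIX), ("mixing", MIXING)]:
        print(name, "invariant brick sums:", invariant_brick_sums(cols, M, S))
    print("AES ShiftRows+MixColumns proper:", is_proper_mixing_layer(aes_linear_layer(), 8, 16))
    print("MixColumns alone proper:", is_proper_mixing_layer(aes_linear_layer(False), 8, 16))
```

The toy layers illustrate the three possible outcomes: a block-diagonal map leaves every brick sum invariant, the partial mix leaves $V_1 \oplus V_2$ and $V_3$ invariant without fixing $V_1$ or $V_2$ separately, and the third map is proper. For the AES, dropping ShiftRows makes each column an invariant sum of four bricks, which is exactly why the argument in the proof of Corollary 4.6 needs both ShiftRows and MixColumns.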
We define our class. 

Definition 3.1. We say that $\mathcal{C}$ is translation based (tb) if it is the composition of some rounds, such that any round $\tau_{k,h}$ is of the form $\tau_{k,h} = \gamma_h \lambda_h \sigma_k$, with $k \in V$ ($\gamma_h$ and $\lambda_h$ do not depend on $k$, but they might depend on the round), where $\gamma_h$ is a bricklayer transformation and $\lambda_h$ is a linear map (but is a proper mixing layer for at least one round).

A round whose mixing layer is proper is called a proper round.

Remark 3.2. A round consisting of only a translation is still acceptable, by taking $\gamma_h = \lambda_h = 1_V$ (the identity map on $V$), although obviously it is not proper.

The previous definition is similar to key-alternating block cipher (see Section 2.4.2 of [2]), although the latter is too general for our goals.

From now on, we assume $\mathcal{C}$ is a tb cipher and that $0\gamma_h = 0$ for every round $h$ (this can always be assumed: if $c = 0\gamma_h$, then $\gamma_h\sigma_c$ is still a bricklayer transformation, it fixes $0$, and $\gamma_h\lambda_h\sigma_k = (\gamma_h\sigma_c)\lambda_h\sigma_{k + c\lambda_h}$, so the translation is absorbed into the round key). From the knowledge of block systems of $T(V)$, we immediately obtain the following.

Fact 2. Let $G = \Gamma_h(\mathcal{C})$ for any round $h$. Then $T = T(V) \le G$. Therefore, if $G$ acts imprimitively on $\mathcal{M} = V$, the blocks of imprimitivity are the translates of a linear subspace.

Proof. We show $T \le G$. For any $k \in V$, we have $\gamma_h\lambda_h\sigma_k \in G$. By considering the zero key, we have also $\gamma_h\lambda_h\sigma_0 = \gamma_h\lambda_h \in G$. Therefore, $(\gamma_h\lambda_h)^{-1}\gamma_h\lambda_h\sigma_k = \sigma_k \in G$. □

Corollary 3.3. Let $G = \Gamma_h(\mathcal{C})$ for any round $h$. Then $G$ acts imprimitively if and only if there is a subspace $U < V$ ($U \ne \{0\}, V$) such that for any $v \in V$ and $u \in U$, we have

(3.1)    $(v + u)\gamma_h\lambda_h + v\gamma_h\lambda_h \in U .$

Proof. $G$ is imprimitive if and only if there is a block system of type $\{v + U\}$, for some subspace $U$, $U \ne \{0\}, V$.

It is enough to consider a zero round key, so that

$$(v + U)\gamma_h\lambda_h\sigma_0 = v\gamma_h\lambda_h\sigma_0 + U \iff (v + U)\gamma_h\lambda_h = v\gamma_h\lambda_h + U .$$

□

4. Main results 

We define for a vBf $f$ two new notions of non-linearity. The first is weaker than $\delta$-uniformity.

Definition 4.1. For any $m \ge 2$ and $\delta \ge 2$, let $A = (\mathbb{F}_2)^m$ and $f \in \mathrm{Sym}(A)$. We say that $f$ is weakly $\delta$-uniform if for any $u \in A$, $u \ne 0$, the image of $f_u$ satisfies

$$|\mathrm{Im}(f_u)| \ge \frac{2^{m-1}}{\delta} + 1 .$$

It is trivial to prove that a $\delta$-uniform map is indeed weakly $\delta$-uniform (for $\delta \le 2^{m-1}$).

Proof. Let $B = \mathrm{Im}(f_u)$. If $f$ is $\delta$-uniform, then $|(f_u)^{-1}(b)| \le \delta$ for any $b \in B$. From $A = \bigcup_{b \in B} (f_u)^{-1}(b)$, we have

$$2^m = |A| = \sum_{b \in B} |(f_u)^{-1}(b)| \le |B|\,\delta ,$$

which means

$$|B| \ge \frac{2^m}{\delta} = \frac{2^{m-1}}{\delta} + \frac{2^{m-1}}{\delta} \ge \frac{2^{m-1}}{\delta} + 1 .$$

□

Remark 4.2. If a function $f$ is weakly $\delta$-uniform, with $2^r \ge \delta$, and the image $\mathrm{Im}(f_u)$ is contained in a subspace $W$, then the dimension of $W$ is at least $m - r$ (since $|W| \ge |\mathrm{Im}(f_u)| > 2^{m-1}/\delta \ge 2^{m-1-r}$). This is the property of $f$ which will be needed in the proof of Theorem 4.4. Interestingly, if $f$ is $\delta$-uniform (as in Subsection 2.2), then the dimension of $W$ which can be guaranteed is exactly the same (and not any bigger).

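Both quantities, $\delta_F(a, b)$ from Subsection 2.2 and $|\mathrm{Im}(f_u)|$ from Definition 4.1, are finite counts over the derivative $F_a : x \mapsto F(x + a) + F(x)$, so they can be computed exhaustively for an 8-bit brick. The following is an added example, not code from the paper: it builds the patched inverse of $\mathrm{GF}(2^8)$ (the AES field modulus $x^8 + x^4 + x^3 + x + 1$ is assumed) as a lookup table and computes its uniformity and its smallest derivative image, which are the numbers quoted for the AES in Subsection 2.2 and in Corollary 4.6. The function names are this example's own.

```python
# Added example (not from the paper): the differential uniformity of
# Subsection 2.2 and the weak uniformity of Definition 4.1, computed for the
# patched inverse x -> x^{-1} (0 -> 0) on GF(2^8) with the AES modulus 0x11b.
# The field arithmetic is the usual shift-and-xor; no library is used.

M = 8
MODULUS = 0x11B

def gf_mul(a, b):
    """Multiply two elements of GF(2^8) represented as ints."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & (1 << M):
            a ^= MODULUS
        b >>= 1
    return r

def gf_inv(x):
    """Patched inverse x^(2^8 - 2) by square-and-multiply, with 0 -> 0."""
    r, base, e = 1, x, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

INVERSE = [gf_inv(x) for x in range(1 << M)]   # the vBf F as a lookup table

def derivative(F, a):
    """The vBf F_a : x -> F(x + a) + F(x), where + is XOR on (F_2)^m."""
    return [F[x ^ a] ^ F[x] for x in range(len(F))]

def differential_uniformity(F):
    """max over a != 0, b of delta_F(a, b): the number of x with F(x+a)+F(x)=b."""
    n = len(F)
    worst = 0
    for a in range(1, n):
        counts = [0] * n
        for y in derivative(F, a):
            counts[y] += 1
        worst = max(worst, max(counts))
    return worst

def min_image_size(F):
    """min over a != 0 of |Im(F_a)|, the quantity bounded in Definition 4.1."""
    return min(len(set(derivative(F, a))) for a in range(1, len(F)))

def is_weakly_uniform(F, delta):
    """Definition 4.1: |Im(F_a)| >= 2^(m-1)/delta + 1 for every a != 0."""
    m = len(F).bit_length() - 1
    return min_image_size(F) >= 2 ** (m - 1) // delta + 1

if __name__ == "__main__":
    print("uniformity of the AES inverse map:", differential_uniformity(INVERSE))
    print("min |Im(F_a)|:", min_image_size(INVERSE))
    print("weakly 2-uniform:", is_weakly_uniform(INVERSE, 2))
```

For this map every derivative takes each value 0, 2 or 4 times, with exactly one value hit 4 times, so the uniformity is 4 while the image of $F_a$ has $2^7 - 1 = 127$ elements, comfortably above the $2^6 + 1 = 65$ required for weak 2-uniformity; this is the gap between the two notions that Remark 4.2 refers to.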
Our second notion focuses on the image of vector spaces. 

Definition 4.3. Let $A = (\mathbb{F}_2)^m$. We say that $f$ is $l$-anti-invariant if for any subspace $U < A$ such that $f(U) = U$ we have $\dim(U) < m - l$ or $U = A$.

We say that $f$ is strongly $l$-anti-invariant if for any two subspaces $U, W < A$ such that $f(U) = W$, we have $\dim(U) = \dim(W) < m - l$ or $U = W = A$.

In other words, $l$-anti-invariant means that the largest subspace invariant under $f$ has codimension greater than $l$ (except for $A$ itself), while strongly $l$-anti-invariant means that the largest subspace sent by $f$ onto another subspace has codimension greater than $l$ (except for $A$ itself).

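On a space small enough that every subspace can be listed, both the imprimitivity criterion of Corollary 3.3 and the anti-invariance of Definition 4.3 become brute-force checks. The following is an added example, not code from the paper: it enumerates all subspaces of $(\mathbb{F}_2)^{\dim}$, tests condition (3.1) for a constructed tb round on $V = (\mathbb{F}_2)^6$ with two 3-bit bricks (the patched inverse of $\mathrm{GF}(2^3)$, modulus $x^3 + x + 1$, given as a table) under either the identity or the brick swap as mixing layer, and measures the plain and strong anti-invariance of the patched inverse of $\mathrm{GF}(2^4)$ (modulus $x^4 + x + 1$, also a constructed table), whose invariant subspaces Theorem 2.2 predicts to be exactly the subfields. The toy round, the tables and all function names are this example's own.

```python
# Added example (not from the paper): brute-force versions of two tests from the
# text, on spaces small enough that every subspace can be listed.
#  (i) Corollary 3.3: a round gamma*lambda (zero key) is imprimitive iff some
#      proper nonzero subspace U satisfies (v+u)gamma lambda + v gamma lambda in U
#      for all v in V, u in U.  Tried on a constructed tb round on V = (F_2)^6.
#  (ii) Definition 4.3: the l-anti-invariance (plain and strong) of a brick,
#      tried on the patched inverse of GF(2^4) (Theorem 2.2: its invariant
#      subspaces are the subfields GF(2) and GF(4)).
# Vectors are ints, subspaces are frozensets of ints.

def all_subspaces(dim):
    """Every subspace of (F_2)^dim, grown one dimension at a time.  A new generator
    v is only taken below the smallest nonzero element of U: every subspace W has
    a hyperplane avoiding min(W minus {0}), so nothing is missed."""
    size = 1 << dim
    layer = {frozenset([0])}
    found = set(layer)
    for _ in range(dim):
        nxt = set()
        for U in layer:
            lo = min(U - {0}) if len(U) > 1 else size
            for v in range(1, lo):
                nxt.add(U | {x ^ v for x in U})
        layer = nxt
        found |= layer
    return found

def subspace_dim(U):
    return len(U).bit_length() - 1

# --- (i) Corollary 3.3 on a toy translation based round ---------------------
# Constructed 3-bit brick: x -> x^{-1} (0 -> 0) in GF(2^3) with modulus x^3+x+1.
INV8 = [0, 1, 5, 6, 7, 2, 3, 4]

def toy_round(brick, swap_bricks):
    """Lookup table of gamma*lambda on V = V_1 + V_2 (3 bits each), zero round key:
    gamma applies `brick` to both halves, lambda is the identity or the brick swap."""
    table = []
    for x in range(64):
        x1, x2 = brick[x & 7], brick[x >> 3]
        if swap_bricks:
            x1, x2 = x2, x1
        table.append(x1 | (x2 << 3))
    return table

def holds_3_1(round_map, U):
    return all(round_map[v ^ u] ^ round_map[v] in U for u in U for v in range(64))

def block_subspaces(round_map):
    """Proper nonzero subspaces U whose translates {v + U} form a block system for
    the group generated by round_map and all translations (Corollary 3.3)."""
    return sorted(tuple(sorted(U)) for U in all_subspaces(6)
                  if 1 < len(U) < 64 and holds_3_1(round_map, U))

def is_primitive_round(round_map):
    return not block_subspaces(round_map)

# --- (ii) Definition 4.3 on the inverse map of GF(2^4) ----------------------
# Constructed table of x -> x^{-1} (0 -> 0) in GF(2^4) with modulus x^4+x+1.
INV16 = [0, 1, 9, 14, 13, 11, 7, 6, 15, 2, 12, 5, 10, 4, 3, 8]

def anti_invariance(f, dim):
    """Return (l, l_strong): the largest l such that f is l-anti-invariant and the
    largest l such that f is strongly l-anti-invariant (Definition 4.3), i.e.
    dim(U) < dim - l for every proper subspace U with f(U) = U (resp. with f(U)
    a subspace).  Since {0} always qualifies, both values are at most dim - 1."""
    subspaces = all_subspaces(dim)
    invariant_dim = mapped_dim = 0
    for U in subspaces:
        if len(U) == 1 << dim:
            continue
        image = frozenset(f[x] for x in U)
        if image in subspaces:
            mapped_dim = max(mapped_dim, subspace_dim(U))
            if image == U:
                invariant_dim = max(invariant_dim, subspace_dim(U))
    return dim - 1 - invariant_dim, dim - 1 - mapped_dim

def invariant_subspaces(f, dim):
    """All proper subspaces U with f(U) = U, as sorted tuples."""
    return sorted(tuple(sorted(U)) for U in all_subspaces(dim)
                  if len(U) < 1 << dim and frozenset(f[x] for x in U) == U)

if __name__ == "__main__":
    print("identity mixing layer, blocks:", block_subspaces(toy_round(INV8, False)))
    print("brick swap mixing layer, primitive:", is_primitive_round(toy_round(INV8, True)))
    print("GF(2^4) inverse, (l, strong l):", anti_invariance(INV16, 4))
    print("its invariant subspaces:", invariant_subspaces(INV16, 4))
```

With the identity as mixing layer the two bricks $V_1$ and $V_2$ themselves satisfy (3.1) and the round is imprimitive, as Fact 2 and Corollary 3.3 predict; with the brick swap, which is a proper mixing layer, no subspace satisfies (3.1). For the inverse of $\mathrm{GF}(2^4)$ the only proper invariant subspaces are $\{0\}$, $\mathrm{GF}(2)$ and $\mathrm{GF}(4) = \{0, 1, 6, 7\}$, and the largest subspace sent onto a subspace has dimension 2, so the map is (strongly) 1-anti-invariant but not 2-anti-invariant; in $\mathrm{GF}(2^8)$ the same enumeration is too large for this brute force, which is why Corollary 4.6 argues through Theorem 2.2 and Lemma 4.5 instead.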
We are ready for our main result (recall that $0\gamma_h = 0$).

Theorem 4.4. Let $\mathcal{C}$ be a tb cipher, with $\lambda_h$ a proper mixing layer, and $G = \Gamma_h(\mathcal{C})$. Let $1 \le r \le m/2$. If every brick of $\gamma_h$ is weakly $2^r$-uniform and strongly $r$-anti-invariant, then $G$ is primitive and hence $\Gamma_\infty(\mathcal{C})$ is primitive.

Proof. We drop the subscript $h$ in this proof and we suppose, by way of contradiction, that $G$ is imprimitive.

Let $U$ be any proper subspace of $V$ such that $\{v + U\}_{v \in V}$ forms a block system for $G$. Since $U$ is a block and $\gamma\lambda \in G$, we have $U\gamma\lambda = U + v$ for some $v \in V$. But $0\gamma\lambda = 0 \in U + v$, so we may take $v = 0$ and

(4.1)    $U\gamma\lambda = U .$

Let $I$ be the set of all $i$ such that $\pi_i(U) \ne 0$. Clearly, $I \ne \emptyset$. Then:

• either $U \cap V_i = V_i$ for all $i \in I$,

• or there is $i \in I$ such that $U \cap V_i \ne V_i$.

In the first case, $U = \bigoplus_{i \in I} V_i$, which means $U\gamma = U$. But then (4.1) implies $U\lambda = U$, which is impossible since $\lambda$ is a proper mixing layer.

In the second case, we denote $W = U\gamma$ (equal to $U\lambda^{-1}$ by (4.1)) and we note that

(4.2)    $(U \cap V_i)\gamma' = W \cap V_i ,$

where $\gamma' = \gamma_i$ is the brick of $\gamma$ in $V_i$. By Corollary 3.3 we have that $B = \mathrm{Im}(\gamma'_u) \subseteq W \cap V_i$ for any $u \in U \cap V_i$. But $\gamma'$ is weakly $2^r$-uniform, so (Remark 4.2) $\dim(W \cap V_i) = \dim(U \cap V_i) \ge m - r$. By (4.2), this is impossible, since $\gamma'$ is strongly $r$-anti-invariant.

□
To apply our theorem to the AES, we first need a simple lemma.

Lemma 4.5. Let $f$ be a vBf. If $f^2 = 1$ and $f$ is $2r$-anti-invariant with $1 \le r \le m/2$, then $f$ is strongly $r$-anti-invariant.

Proof. Let $U, W$ be proper subspaces of codimension $l$ such that $Uf = W$. Let us consider $Z = U \cap Uf$. By standard linear algebra, $\dim(Z) \ge m - 2l$. Since $f^2 = 1$, we have $Zf = Uf \cap U = Z$, and as $f$ is $2r$-anti-invariant and $Z \ne A$, this forces $\dim(Z) < m - 2r$. Hence $m - 2l \le \dim(Z) < m - 2r$, that is $l > r$, and so $U$ and $W$ have codimension strictly bigger than $r$. □



The first interesting consequence of our theorem is the following. 

Corollary 4.6. Any typical round $h$ of the AES satisfies the hypotheses of Theorem 4.4. As a consequence, both $\Gamma_h(\mathrm{AES})$ and $\Gamma_\infty(\mathrm{AES})$ are primitive.

Proof. We first show that the mixing layer $\lambda = \lambda_h$ of a typical round of the AES is proper. Suppose $U \ne \{0\}$ is a sum of some of the $V_i$ which is invariant under $\lambda$. Suppose, without loss of generality, that $U \supseteq V_1$. Because of MixColumns [2, 3.4.3], $U$ contains the whole first column of the state. Now the action of ShiftRows [2, 3.4.2] and MixColumns on the first column shows that $U$ contains four whole columns, and considering (if the state has more than four columns) once more the action of ShiftRows and MixColumns, one sees immediately that $U = V$.

The S-box $\gamma'$ is well-known to satisfy (for any $u \ne 0$) $|\mathrm{Im}(\gamma'_u)| = 2^7 - 1 \ge 2^6 + 1$ and so it is weakly 2-uniform.

To apply the theorem we need only to show that $\gamma'$ is strongly 1-anti-invariant. Since $(\gamma')^2 = 1$, we want to apply Lemma 4.5 with $r = 1$. Indeed, $\gamma'$ is well-known to be 3-anti-invariant, since the only nonzero subspaces of $\mathrm{GF}(2^8)$ which are invariant under inversion are the subfields (Theorem 2.2), and so the largest proper one is $\mathrm{GF}(2^4)$, of codimension $4 > 3$.

□



The second interesting consequence is the following. 

Corollary 4.7. Any typical round $h$ of the SERPENT satisfies the hypotheses of Theorem 4.4. As a consequence, both $\Gamma_h(\mathrm{SERPENT})$ and $\Gamma_\infty(\mathrm{SERPENT})$ are primitive.

Proof. The conditions of Theorem 4.4 are satisfied with $r = 1$, as can be seen by a direct computer check on all Serpent S-boxes and on its mixing layer ([13]). □